Case law: Pharmacy fined £275k for storing records containing personal data in back yard
Businesses should take their responsibilities under data protection law seriously, ensure old records are dealt with lawfully and respond promptly to questions legally asked by the Information Commissioner’s Office, or risk significant fines.
This update was published in Legal Alert - March 2020
Legal Alert is a monthly checklist from Atom Content Marketing highlighting new and pending laws, regulations, codes of practice and rulings that could have an impact on your business.
A pharmacy was found to have stored 47 unlocked boxes, bags and a cardboard box containing about half a million documents in the back yard of its premises; when they were discovered, the documents were soaking wet. They contained confidential data about a large number of individuals, including elderly people in care homes.
The pharmacy was initially uncooperative when the Information Commissioner’s Office (ICO) – the body responsible for data protection compliance in the UK – investigated whether there had been breaches of the General Data Protection Regulation (GDPR), which came into force in the UK in May 2018. The ICO had to issue a notice requiring the pharmacy to answer its questions.
When it did reply it became clear that:
- The pharmacy had no formal policy on retaining documents.
- Many of the compliance documents the pharmacy was using were out of date – they preceded the coming into force of the GDPR – and some were standard precedents that had not been adapted to the pharmacy’s business.
- Leaving documents in the yard, where they could and did get wet, showed the documents were not protected against accidental loss, destruction or damage as required under data protection law.
The pharmacy also said that its shredding company had let it down, but it was unable to produce a contract with any such company, and some of the documents dated from 2016 yet had not been shredded, which cast doubt on this explanation.
The ICO took into account the pharmacy’s size and financial situation, and what it had done to improve its systems since being investigated, and fined it £275k.
- Businesses should take their responsibilities under data protection law seriously, ensure old records are dealt with lawfully and respond promptly to questions legally asked by the ICO, or risk significant fines.
Disclaimer: This article from Atom Content Marketing is for general guidance only, for businesses in the United Kingdom governed by the laws of England. Atom Content Marketing, expert contributors and ICAEW (as distributor) disclaim all liability for any errors or omissions.
Copyright © Atom Content Marketing